Wireless networks are complex; there are many technologies and protocols required to offer a stable wireless network to end-users. It also sounds scary to transmit data through the air, where everyone can listen to it.
Wired networks feel secure; after all, you can’t easily listen to this traffic. You could connect to a switchport, but the only unicast traffic you’ll see is the traffic between your computer and the switch. You will see multicast and broadcast traffic from within the VLAN, though.
Anyone can see the data that travels through the air, which is why wireless security is so important. Someone can monitor wireless traffic, and you won’t even notice that it’s happening.
In the 802.11 service sets lesson, you learned how wireless clients associate with APs. All wireless traffic has to go through the AP, instead of directly between the sender and receiver. Anyone in range of the AP or other wireless clients can receive the signal.
This can be a problem. For example, imagine we have a user who sends a password to a remote server:
The wireless user transmits a password to the remote server. Because the attacker is in range of our wireless network, he can capture the password.
How can we securely transmit data through the air and ensure that it remains private and is not tampered with? The 802.11 standard offers security mechanisms that provide authentication, encryption, and integrity. In this lesson, I’ll give you an overview of these three items.
To use a wireless network, the wireless client has to discover a BSS. APs advertise beacons with their SSID, and the wireless client selects the wireless network she wants to connect to and associates with the AP. By default, authentication is open, which means everyone is welcome.
You probably want to authenticate your wireless clients, though. If you have a corporate network, you don’t want just anyone to join the network. Only legitimate users should be able to use your wireless network. After all, the wireless network might be connected to the wired network where you can access all corporate resources.
What if you have guest users? If you want to offer a guest wireless network, you should configure a second SSID, linked to a VLAN with restricted access.
APs can authenticate wireless clients before they associate with the AP. This keeps rogue clients away from our wireless network.
There are many options for wireless authentication. You are probably familiar with the most common choice, a pre-shared key. We configure the pre-shared key on the AP. Any wireless client that wants to join the wireless network has to enter the pre-shared key.
What happens when someone steals one of the wireless clients? That's a problem for two main reasons:
- The attacker has access to your pre-shared key and:
  - can now connect to the wireless network from any device.
  - can decrypt traffic from other clients connected to the same wireless network.
- You need to configure a new pre-shared key on the AP and all wireless clients.
There are stronger authentication options where we ask users for a username and password instead. This helps. When a device is stolen, at least you can pinpoint which username was compromised and reset the password for that username. You don’t have to reset the pre-shared key and configure it on all wireless clients.
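To make the two problems with a stolen pre-shared key concrete, here is an added Python example (written for this page, not code from the original lesson or from any vendor). It derives the Pairwise Master Key the way IEEE 802.11 specifies it for WPA2-Personal (PBKDF2-HMAC-SHA1 over the passphrase, with the SSID as salt, 4096 iterations, 256-bit output) and shows that every client of the BSS ends up holding the same PMK, so one stolen client exposes the key material of all the others, and rotating the passphrase invalidates the stored key on every device. The SSID `ExampleCorp`, the device names and the passphrases are constructed values, and the `per_user_keys` model is a simplified stand-in for username/password authentication: real WPA2-Enterprise derives the PMK from the EAP exchange, not from a passphrase, but the property it illustrates (one credential per user, so only the compromised user's key changes) holds there too.

```python
import hashlib
from typing import Dict, List

# Parameters fixed by IEEE 802.11 for WPA/WPA2-Personal (originally 802.11i).
PBKDF2_ITERATIONS = 4096
PMK_LENGTH_BYTES = 32


def validate_passphrase(passphrase: str) -> None:
    """Enforce the 802.11 rule: 8 to 63 printable ASCII characters (codes 32-126)."""
    if not 8 <= len(passphrase) <= 63:
        raise ValueError("WPA passphrase must be 8 to 63 characters long")
    if not all(32 <= ord(ch) <= 126 for ch in passphrase):
        raise ValueError("WPA passphrase must consist of printable ASCII characters")


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    """PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, 4096 iterations, 32 bytes).

    The inputs are the same for every client on the network, so the output is too.
    """
    validate_passphrase(passphrase)
    return hashlib.pbkdf2_hmac(
        "sha1", passphrase.encode("ascii"), ssid.encode("utf-8"),
        PBKDF2_ITERATIONS, PMK_LENGTH_BYTES,
    )


def psk_keys(passphrase: str, ssid: str, devices: List[str]) -> Dict[str, bytes]:
    """Key material each device stores on a pre-shared-key network: one shared PMK."""
    pmk = derive_pmk(passphrase, ssid)
    return {device: pmk for device in devices}


def per_user_keys(ssid: str, user_secrets: Dict[str, str]) -> Dict[str, bytes]:
    """Toy model of per-user authentication (assumption: not how 802.1X/EAP really
    derives the PMK): each user's key comes from that user's own credential."""
    return {user: derive_pmk(secret, ssid) for user, secret in user_secrets.items()}


def devices_sharing_key(keys: Dict[str, bytes], stolen_device: str) -> List[str]:
    """Other devices whose stored key is identical to the one on the stolen device."""
    stolen_key = keys[stolen_device]
    return sorted(d for d, k in keys.items() if d != stolen_device and k == stolen_key)


def devices_to_reconfigure(keys: Dict[str, bytes], new_passphrase: str, ssid: str) -> List[str]:
    """Devices whose stored key no longer matches the AP after the passphrase is rotated."""
    new_pmk = derive_pmk(new_passphrase, ssid)
    return sorted(d for d, k in keys.items() if k != new_pmk)


if __name__ == "__main__":
    ssid = "ExampleCorp"  # constructed
    devices = ["laptop-1", "phone-2", "tablet-3"]  # constructed
    shared = psk_keys("correct horse battery", ssid, devices)
    print("PSK network, phone-2 stolen, same key on:", devices_sharing_key(shared, "phone-2"))
    print("PSK rotated, must reconfigure:", devices_to_reconfigure(shared, "new passphrase 2024", ssid))

    individual = per_user_keys(ssid, {"alice": "alice-secret-1", "bob": "bob-secret-2"})
    print("Per-user network, alice stolen, same key on:", devices_sharing_key(individual, "alice"))
```

Running the script prints that on the PSK network the other two devices hold the same key as the stolen phone and all three must be reconfigured after rotation, while on the per-user network nobody shares Alice's key, so only her credential needs resetting. The `derive_pmk` output can be checked against the `wpa_passphrase` utility from wpa_supplicant, which performs the same derivation.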